Why Europe’s Cyber Insurance Windfall Hasn’t Happened

New regulations have prompted more companies to look into such policies, but reasons vary as to why there hasn’t been a significant uptick in sales

By Mengqi Sun

June 20, 2018

One of the biggest data-privacy laws in history was supposed to kick off a new era of surging demand for cyber insurance in Europe. So far, it hasn’t.

Late last month, the General Data Protection Regulation, or GDPR, went into full effect in Europe. The law constituted the largest change to the data-protection regulations in the European Union during the last two decades and one of the largest ever globally. It mandated that all companies, including those that aren’t based in the EU but have European customers, get clients’ consent before collecting and processing their personal data.

The heavier hand had many insurance executives and analysts forecasting a sales spike for cyber insurance. Cyber policies vary in their coverage but often provide compensation for repair of a network, recovery of lost data, lost revenue, and damaged reputation caused by data breaches and ransomware. These products also can help companies manage their risks as they work to comply with new rules.

The cost of the policies varies widely, depending on the needs of a company and the industry it is in. Aon PLC, one of the biggest brokerage firms, handles policies ranging from as small as $650 in total premium to upwards of $9,000,000 for stand-alone cyber programs.

But while the regulations have led to more companies examining cyber insurance, there hasn’t been a significant uptick in sales.

“We’re optimistic that we’ll see more,” said Paul Bantick, cyber-focus group leader at Beazley PLC. “But in the future, it’s not going to be necessarily a huge boom…it would probably be more gradual.”

The expectations for growth largely were driven by an examination of sales in the U.S. during the last year. Amid large-scale data breaches and cyberattacks, cyber has become one of the fastest-growing markets in the U.S., where 48 states require companies to notify individuals if their data is compromised.

In 2017, cyber premiums in the U.S. grew 54% to $2.1 billion, according to a special report from Fitch Ratings last month. The U.S. market currently represents 90% of the global premium in cyber.

In comparison, Aon says its cyber sales in Europe grew 25% in 2017, attributed mostly to an increase in new clients. The company says it hasn’t seen a spike in sales in response to the GDPR, and the U.S. market still holds 65% of its book, according to Shannan Fort, who leads Aon’s cyber-product development in London.

One reason sales haven't taken off is one detail of the GDPR. As part of the regulation, companies face the risk of hefty fines of up to 20 million euros or 4% of global revenue. But whether the fines are insurable in each country is unclear, a decision that is up to local regulators.

This lack of clarity in what is insurable and the level of enforcement in each country has made it difficult to standardize the policy, according to Emy Donavan, the global head for cyber, media and tech PI at Allianz Global Corporate & Specialty in San Francisco.

“It varies from company to company, because there is no reliable actuarial info to help us set prices,” Ms. Donavan said. “The market is pretty all over the map and [varies] from country to country.”

Compared with the regulations in the U.S., which came in relatively quickly, the enactment of GDPR spanned eight years. The long runway seems to have given companies more time to enroll in cyber insurance and spread out the increase in demand, Mr. Bantick said.

Some insurance analysts say the ramp-up is just a matter of time. Companies have to identify where to finance the purchase in their budgets and line up cash to make the acquisition. For many companies, GDPR raises awareness but doesn’t change the fact that many have been looking for more protection from insurance for years, according to James Auden, a cyber analyst at Fitch Ratings.

“GDPR would be just one of many factors why a company would explore a cyber-insurance policy,” an Allianz Europe spokesperson said in an email.

The biggest threats also are constantly changing.

An analysis by American International Group Inc. in London shows that ransomware accounts for 26% of its 2017 cyber claims in Europe, compared with 12% for data breaches by hackers. Ransomware was on average 16% of claims for the period from 2013 to 2016.

Even so, the hope for many in the industry is that it is just a matter of time.

“The fact that people are already buying means that they understand the conceptual risks,” Ms. Donavan said. “I do believe we will see a lot of more companies interested in getting risk-transfer options through cyber insurance. But it takes a little while.”

Corrections & Amplifications

Paul Bantick is the cyber-focus group leader at Beazley PLC. An earlier version of this article incorrectly stated Beazley was a unit of Lloyd’s of London. (June 21, 2018)